Amanda Kearsley, Director
Introductory Guide to Data Protection
HLA Conference 2011
Why data protection matters to you …
CONSEQUENCES OF GETTING IT WRONG
• ENFORCEMENT
• FINES
• CRIMINAL LIABILITY (potentially personal)
• NEGATIVE PUBLICITY
• CLAIMS FOR COMPENSATION
• REDUCED DATABASE VALUE
THE DATA PROTECTION ACT and RELATED LAWS
QUICK QUIZ: TRUE or BLUFF?
1. A DATA CONTROLLER IS USUALLY THE IT MANAGER OR DATA PROTECTION COMPLIANCE OFFICER
Answer: BLUFF
2. YOU CAN DO PRETTY MUCH ANYTHING YOU WANT TO WITH PERSONAL DATA
Answer: BLUFF
3. WILLIAM SHAKESPEARE IS ENTITLED TO DPA PROTECTION FOR HIS PERSONAL DATA
Answer: BLUFF
4. IF YOU WANT TO MARKET BY EMAIL OR SMS YOU NEED AN ‘OPT-IN’ FROM THE INDIVIDUAL
Answer: TRUE
What’s it all about?
THE DATA PROTECTION ACT
PROCESSING
DATA CONTROLLERS
PERSONAL DATA
DATA SUBJECTS
‘Data controller’ …
is a person who determines the purposes for which and the manner in which personal data are processed
Examples:
• Marks and Spencer PLC
• Vodafone Limited
• Leicestershire & Rutland Organisation for the Relief of Suffering Limited
NOT employees or third party data processors
‘Processing’ …
Virtually ANYTHING that can be done with personal data
Examples:
• obtaining, recording, holding
• organising, altering
• retrieving, consulting, using
• disclosing, transmitting
• combining, blocking, erasing, destroying
‘Data’ …
Information that is AUTOMATICALLY processed
Examples:
• on computers, PDAs, BlackBerrys
• video systems, CCTV cameras, audio systems
Information processed in HIGHLY STRUCTURED MANUAL FILES
Examples:
• index card systems
• HR files
‘Personal data’ …
Data relating to a LIVING IDENTIFIABLE INDIVIDUAL who can be identified from:
• THOSE DATA, or
• those data AND OTHER DATA in the possession of, or likely to come into the possession of, the data controller
Examples:
• contact details
• video footage of staff leaving premises
• list of winners of a competition
• staff appraisals
‘Data subject’ …
An individual who is the subject of personal data
Examples:
• staff
• officials
• suppliers
• family members
Recap …
Any person who is a DATA CONTROLLER that PROCESSES PERSONAL DATA relating to a DATA SUBJECT will be subject to the Data Protection Act 1998
THE 8 DATA PROTECTION PRINCIPLES
Principle 1
THE DATA PROTECTION ACT
1 FAIR & LAWFUL: JUSTIFY PROCESSING
Conditions for processing (ORDINARY personal data / SENSITIVE personal data):
• Necessary
• Legitimate interests
• Vital interests
• Legal rights/obligations
• Consent (EXPLICIT CONSENT for sensitive personal data)
Principle 2
THE DATA PROTECTION ACT
1 FAIR & LAWFUL
2 LAWFUL & STATED PURPOSES: NOTIFY ON REGISTER OF DATA CONTROLLERS; DATA PROTECTION NOTICES
WHAT TO NOTIFY
• FULL LEGAL ENTITY NAME OF THE DATA CONTROLLER
• PURPOSES FOR PROCESSING: staff admin, marketing, trading in personal data
• DATA CLASSES: staff, customers, suppliers
• RECIPIENTS: data subject himself, data processors
• TRANSFERS OUTSIDE EEA
• FEES ARE PAYABLE, RENEWABLE ANNUALLY
EXEMPTION FROM NOTIFICATION
CERTAIN ‘NOT FOR PROFIT ORGANISATIONS’
• MUST BE CONSTITUTED AS ‘NOT FOR PROFIT’
• MUST ONLY USE THE PERSONAL DATA FOR THE FOLLOWING:
• STAFF ADMINISTRATION (including payroll)
• OWN ADVERTISING, MARKETING AND PR
• OWN ACCOUNTS AND RECORDS
CONTENT OF A DATA PROTECTION NOTICE
• IDENTITY OF DATA CONTROLLER(S)
• DESCRIPTION OF PURPOSES (especially non obvious ones): administration, marketing, profiling
• DESCRIPTION OF DISCLOSURES AND DISCLOSEES’ PURPOSES: commercial partners
• OPT-IN or OPT-OUT FOR DIRECT MARKETING
• MARKETING METHODS: email and SMS require consent
• RIGHT TO ACCESS PERSONAL DATA
• RIGHT TO CORRECT INACCURACIES
MUST BE CLEAR, PROMINENT AND UNDERSTANDABLE
GIVEN AT TIME DATA ARE COLLECTED (if by 3rd party give as soon as reasonably practicable)
CAN BE USED TO OBTAIN CONSENT, eg for processing sensitive personal data or email marketing:
• “by ticking this box you consent to...”
• “if you do not consent to ... then tick this box...”
• “by clicking on the submit button you consent to...”
What you say in a data protection notice dictates what you can do with the personal data
• make sure your notices are wide but accurate
• future proof them as much as possible
• don’t miss anything out
Recap …
Principle 3
THE DATA PROTECTION ACT
3 ADEQUATE, RELEVANT & NOT TOO MUCH
Principle 4
THE DATA PROTECTION ACT
4 ACCURATE & UP-TO-DATE: POLICIES ON UPDATING
Principle 5
THE DATA PROTECTION ACT
5 NOT FOR LONGER THAN NECESSARY: RETENTION and DESTRUCTION POLICIES
Principle 6
THE DATA PROTECTION ACT
6 RIGHTS OF INDIVIDUALS
• SUBJECT ACCESS
• OPT-OUT OF DIRECT MARKETING
• OBJECT TO AUTOMATED DECISIONS
Principle 7
THE DATA PROTECTION ACT
7 APPROPRIATE SECURITY
MEASURES REQUIRED depend on:
• Nature of the data
• State of technology
• Cost
• Reliable employees
Using data processors?
• Written contract
• Controller’s instructions
• 7th principle obligations
• Security guarantee
• Audit compliance
Principle 8
THE DATA PROTECTION ACT
8 TRANSFERS OUTSIDE EEA: ONLY TO TERRITORIES WITH AN ‘ADEQUATE LEVEL OF PROTECTION’
CAN YOU?
Demonstrate you have not been an Idiot …
QUESTION 1
Which of the following is not a power of the ICO?
(a) to impose fines
(b) to issue an enforcement notice
(c) to impose a custodial sentence
(d) to enter property and seize documents
✓
QUESTION 2
Which of the following is not a data subject?
(a) Prince Charles
(b) Princess Diana
(c) Prince William
(d) The Duke and Duchess of Cambridge’s first born
✓
✓
QUESTION 3
Which of the following is not ‘data’?
(a) An email
(b) A message on a post-it note
(c) CCTV image
(d) A HR file
✓
QUESTION 4
Which of the following are not ‘personal data’?
(a) Date of birth of the head of your organisation
(b) Address of your organisation
(c) The name of the person who answers the phone in your business
(d) A customer’s opinion of your latest scratch card competition
✓
QUESTION 5
Which of the following are not ‘sensitive personal data’?
(a) Financial records
(b) Criminal Records Bureau disclosures
(c) Staff medical records
(d) Political opinions
✓
QUESTION 6
Which of the following are not DPA principles?
(a) The data controller must process fairly and lawfully
(b) The data controller must make sure that personal data are accurate and up-to-date
(c) The data controller must obtain consent for direct marketing
(d) The data controller must take appropriate security measures to protect personal data
✓
QUESTION 7
Which of the following is not a right given to data subjects under the DPA?
(a) The right to access all information held
(b) The right to opt-out of direct marketing
(c) The right to object to automated decision making
(d) The right to prevent processing likely to cause damage and distress
✓
1 DPO. Appoint somebody within your organisation to be responsible for data protection
2 Notification. Notify the ICO – unless your organisation is exempt – and ensure your notification is kept up to date
3 Data protection notices. Have well drafted and future proof data protection notices (and use them!!)
4 Justification. Justify your processing
5 Quality. Ensure you capture data accurately and keep it up to date
6 Data processors. Have contracts in place with your data processors and monitor that they are doing what they say they will do
7 Security. Have and use appropriate security for all personal data
8 Policies. Have appropriate policies in place (including retention, deletion, security)
9 Rights. Comply with all data subject rights (eg right to opt out of direct marketing and right of access)
10 Training. Ensure staff are trained in their responsibilities